What is claimed is:

1. A method for filtering packets, comprising:
receiving a packet sent from a first device to a second device;
authenticating an identifier for said packet;
determining whether to send said packet to said second device; and
sending said packet to said second device in accordance with said determination.

2. The method of claim 1, wherein said determining comprises:
comparing said identifier to a list of identifiers;
retrieving at least one policy rule; and
determining whether to send said packet to said second device in accordance with said comparison and said policy rule.

3. The method of claim 1, wherein said identifier is a common host identifier.

4. The method of claim 1, wherein said authenticating is performed in accordance with IPSEC standards.

5. The method of claim 1, wherein said authenticating comprises:
retrieving a pointer to a security association from an authentication header of said packet;
retrieving a key associated with said security association; and
determining whether said packet is authentic using said key.
6. The method of claim 5, wherein said identifier is not authentic, further comprising sending a first message to a third device indicating said identifier is not authentic.

7. The method of claim 5, wherein said authentication header is an IPSEC authentication header.



8. The method of claim 1, wherein said packet is encrypted prior to said receiving, further comprising decrypting said packet prior to authenticating.

9. The method of claim 8, wherein said packet is encrypted and decrypted using one of a group of cryptographic techniques comprising DES, triple DES, HMAC and RSA.



10. The method of claim 1, wherein said policy rule is stored in a policy configuration file at said second device.



11. A machine-readable memory whose contents cause a computer system to perform packet filtering, by performing the steps of:
receiving a packet sent from a first device to a second device;
authenticating an identifier for said packet;
determining whether to send said packet to said second device; and
sending said packet to said second device in accordance with said determination.
12. The machine-readable memory of claim 11, wherein said determining comprises:
comparing said identifier to a list of identifiers;
retrieving at least one policy rule; and
determining whether to send said packet to said second device in accordance with said comparison and said policy rule.

13. The machine-readable memory of claim 11, wherein said identifier is a common host identifier.

14. The machine-readable memory of claim 11, wherein said authenticating is performed in accordance with IPSEC standards.



15. The machine-readable memory of claim 11, wherein said authenticating comprises:
retrieving a pointer to a security association from an authentication header of said packet;
retrieving a key associated with said security association; and
determining whether said packet is authentic using said key.
16. The machine-readable memory of claim 15, wherein said identifier is not authentic, further comprising sending a first message to a third device indicating said identifier is not authentic.

17. The machine-readable memory of claim 15, wherein said authentication header is an IPSEC authentication header.

18. The machine-readable memory of claim 11, wherein said packet is encrypted prior to said receiving, further comprising decrypting said packet prior to authenticating.

19. The machine-readable memory of claim 18, wherein said packet is encrypted and decrypted using one of a group of cryptographic techniques comprising DES, triple DES, HMAC and RSA.

20. The machine-readable memory of claim 11, wherein said policy rule is stored in a policy configuration file at said second device.
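The filtering steps recited in claims 1-10, and repeated as a stored program in claims 11-20, can be followed in code. The Python below is an added illustration written for this page, not code from the patent or its applicant. It uses a constructed AH-style header in which the SPI plays the role of the "pointer to a security association" of claim 5, a toy security association database and policy table standing in for the "list of identifiers" and "policy rule" of claim 2, and a list of alert messages standing in for the report to the "third device" of claim 6; it also adds the anti-replay sequence check that a real IPsec AH implementation performs. The header layout, key sizes, host identifiers and policy format are all invented. Decryption (claims 8, 9, 18 and 19) is not modelled; note that HMAC in that list is a message authentication code rather than a cipher, and that a filter should verify the integrity check value before acting on any decrypted content.

```python
"""Constructed example: an authenticating packet filter in the style of
claims 1-10. Packets carry an AH-like header whose SPI points at a
security association; the filter looks up the SA key, verifies the ICV,
then compares the common host identifier against a list and a policy.
Not real IPsec: header layout, keys and policy format are made up here."""
import hashlib
import hmac
import struct
from typing import Optional, Tuple

ICV_LEN = 12                        # 96-bit truncated HMAC, as AH does
HDR = struct.Struct("!IIH")         # spi, sequence number, destination port

# Security Association Database: SPI -> authentication key (constructed keys).
SAD = {0x1000: b"\x11" * 20, 0x2000: b"\x22" * 20}
# The claims' "list of identifiers" and per-host "policy rule" (constructed).
KNOWN_HOSTS = {"host-a", "host-b"}
POLICY = {"host-a": {80, 443}, "host-b": {"*"}}  # allowed destination ports


def build_packet(spi: int, seq: int, dst_port: int, host_id: str,
                 payload: bytes, key: Optional[bytes] = None) -> bytes:
    """Sender side: header + NUL-terminated host id + payload + ICV."""
    key = SAD[spi] if key is None else key      # explicit wrong key = tampering
    body = HDR.pack(spi, seq, dst_port) + host_id.encode() + b"\x00" + payload
    return body + hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]


class PacketFilter:
    def __init__(self, sad=SAD, known_hosts=KNOWN_HOSTS, policy=POLICY):
        self.sad, self.known_hosts, self.policy = sad, known_hosts, policy
        self.highest_seq = {}   # per-SPI anti-replay state
        self.alerts = []        # messages for the management device (claim 6)

    def authenticate(self, pkt: bytes) -> Tuple[bool, Optional[Tuple[str, int]], str]:
        """Claim 5: SPI -> SA -> key -> recompute ICV; constant-time compare."""
        if len(pkt) < HDR.size + ICV_LEN + 1:
            return False, None, "truncated"
        spi, seq, dst_port = HDR.unpack_from(pkt)
        key = self.sad.get(spi)
        if key is None:
            return False, None, "unknown SPI"
        body, icv = pkt[:-ICV_LEN], pkt[-ICV_LEN:]
        expected = hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):
            return False, None, "ICV mismatch"
        # Only trust the sequence number after the ICV has checked out.
        if seq <= self.highest_seq.get(spi, 0):
            return False, None, "replayed sequence number"
        self.highest_seq[spi] = seq
        host_id = body[HDR.size:].split(b"\x00", 1)[0].decode("utf-8", "replace")
        return True, (host_id, dst_port), "ok"

    def decide(self, pkt: bytes) -> Tuple[str, str]:
        """Claims 1, 2 and 6: returns (action, reason), action in {forward, drop}."""
        ok, info, reason = self.authenticate(pkt)
        if not ok:
            self.alerts.append(f"inauthentic packet: {reason}")
            return "drop", reason
        host_id, dst_port = info
        if host_id not in self.known_hosts:
            return "drop", f"identifier {host_id!r} not in list"
        allowed = self.policy.get(host_id, set())
        if "*" in allowed or dst_port in allowed:
            return "forward", f"policy permits {host_id!r} -> port {dst_port}"
        return "drop", f"policy denies {host_id!r} -> port {dst_port}"


if __name__ == "__main__":
    pf = PacketFilter()
    print(pf.decide(build_packet(0x1000, 1, 443, "host-a", b"GET /")))
    print(pf.decide(build_packet(0x1000, 2, 22, "host-a", b"SSH-2.0")))
    print(pf.decide(build_packet(0x1000, 3, 443, "host-a", b"x", key=b"wrong")))
    print(pf.decide(build_packet(0x1000, 1, 443, "host-a", b"replay")))
    print(pf.alerts)
```

Running the file yields a forward verdict for host-a on port 443, a policy drop for port 22, an ICV-mismatch drop for the packet built with the wrong key and a replay drop for the reused sequence number; `pf.alerts` then holds the two messages the filter would send to the management device. The ICV is checked before the sequence number or the host identifier is read, so an attacker who cannot produce a valid ICV cannot influence the replay state or the policy lookup.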
21. A packet filter for a distributed firewall, comprising:
an input means coupled to said first network for receiving a data packet from a first device, said data packet having an encrypted common host identifier;
a first buffer coupled to said input means for storing said received packet;
a first memory segment containing a list of common host identifiers and at least one policy rule;
a second memory segment for storing a program for decrypting said common host identifier, authenticating said common host identifier, and determining whether to send said packet to a second device based on said list and said policy rule;
a processor coupled to said first buffer, said first memory segment and said second memory segment for executing said program; and
an output means coupled to said first buffer for forwarding said compared data packet to said second device based on said comparison.

22. The apparatus of claim 21, further comprising a second buffer for storing said compared data packet prior to forwarding said compared data packet to the second device.

23. The apparatus of claim , wherein said random access memory comprises dynamic random access memory.

24. The apparatus of claim 23, further comprising a non-volatile random access memory for storing parameters used by said operating system program.

25. The apparatus of claim 24, further comprising means for receiving an updated list of origination addresses.
26. The apparatus of claim 25, wherein said means for receiving comprises an asynchronous terminal device and a serial port coupled to said dynamic random access memory.



27. The apparatus of claim , wherein said means for receiving comprises a network interface card coupled to said dynamic random access memory.



28. The apparatus of claim 21, wherein said first network is a wireless network, and said input means comprises means for receiving said data packets from said wireless network.




29. A distributed firewall system, comprising:
a first network device;
a second network device in communication with said first network device;
a packet filter processor for each network device;
an encryption means coupled to said packet filter processor, said encryption means for decrypting and authenticating a packet sent between said first network device and said second network device; and
a system management module to manage said packet filter processors.